Canisters

Today’s fast-paced business environment and the move to digitally enabled operations are driving software developers to become more agile in order to respond to the needs of the enterprise. As a result, new paradigms for software development are being adopted, including Continuous Integration (CI) and Continuous Deployment (CD) along with Agile project management. Developers and system administrators are being brought together to collaborate in the style of DevOps, which is driving fundamental changes in the way that servers are managed and deployed.

An exciting new tool in the DevOps model is the container. This is actually relatively old technology that is now finding its niche and changing the way applications are deployed. Containers allow developers to package their applications in a single image file that can be run on any server with the same base operating system (e.g. Linux).

Unfortunately, containers have some inherent security vulnerabilities. Containers, unlike traditional virtual machines, have no isolation guarantees. A compromise in one container can lead to compromises of other containers and the host itself since users aren’t namespaced. A container that causes a kernel panic will take down the whole host platform. Of course, the security of the image itself (has it been modified in some way?) is also something container developers need to be concerned with.

Using the same technology used in the Firenode™, IDfusion has developed modifications to the standard container that address these serious security concerns. The result is something we call a “canister.” A canister is a complete, standalone, runnable image that perfectly fits the CI/CD model of DevOps while providing the best in security. Simply put, a canister is a container with a label (measurement) associated with it. Canister images are fully encrypted, which allows them to be verified before they are run. Each canister can be unique from all others (have its own identity) even if it is identical in function to another. Once the canister is loaded and running, the host system is able to monitor the measurement state of each container and offer the same security guarantees as the Firenode™.

In addition to traditional data center uses and cloud-based operations, IDfusion’s canisters are ideal for developers working in the Internet of Things. A canister provides a convenient way to distribute system updates with complete protection against zero-day attacks. A canister blocks any action that would take the container out of measurement and, optionally, continues running. In the meantime, the developer is notified of the event and has access to forensic information that can be used to determine what happened and, if necessary, develop a fix. If the canister image changes, it can simply be pushed out to all of your devices, along with a new measurement that completely protects your device.

So, if your company is leveraging containers as a way to speed up and improve the reliability of your application deployments, either in your data center or the cloud, or if you are developing for devices in the Internet of Things, IDfusion’s canister technology will give you peace of mind that your application is secure!